From 26ee2896b22f01b5d97525e35a76bd65067decce Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Tue, 7 Mar 2023 15:18:54 -0500
Subject: [PATCH] added ticket invalidation on group change
---
 .../keycloak-authentication-context.xml | 1 +
 .../KeycloakTokenGroupSyncProcessor.java | 20 +++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
index c8284f1..40d3535 100644
--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
@@ -222,6 +222,7 @@
+
diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
index c2cff17..1bfbcd3 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
@@ -25,6 +25,7 @@ import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
 import org.alfresco.repo.transaction.AlfrescoTransactionSupport.TxnReadState;
 import org.alfresco.service.cmr.repository.DuplicateChildNodeNameException;
+import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
 import org.alfresco.service.cmr.security.PermissionService;
@@ -63,6 +64,8 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
 protected TransactionService transactionService;
 protected AuthorityService authorityService;
+
+ protected AuthenticationService authenticationService;
 protected Collection authorityExtractors;
@@ -159,7 +162,14 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
 if (this.syncGroupMembershipOnLogin)
 {
 AuthenticationUtil.runAsSystem(() -> this.transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
- this.syncGroupMemberships(groups);
+ boolean changed = this.syncGroupMemberships(groups);
+ if (changed) {
+ String ticket = this.authenticationService.getCurrentTicket();
+ if (ticket != null) {
+ LOGGER.debug("Invalidating Alflresco ticket as group membership changed: {}", ticket);
+ this.authenticationService.invalidateTicket(ticket);
+ }
+ }
 return null;
 }, false, requiresNew));
 }
@@ -222,11 +232,13 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
 *
 * @param groups
 * the Alfresco group authorities as determined from the Keycloak access token for the current user
+ * @return true if group membership changed
 */
- protected void syncGroupMemberships(final Collection groups)
+ protected boolean syncGroupMemberships(final Collection groups)
 {
 final String userName = AuthenticationUtil.getFullyAuthenticatedUser();
 final String maskedUsername = AlfrescoCompatibilityUtil.maskUsername(userName);
+ boolean changed = false;
 LOGGER.debug("Synchronising group membership for user {} and token extracted groups {}", maskedUsername, groups);
@@ -241,6 +253,7 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
 {
 LOGGER.debug("Adding user {} to group {}", maskedUsername, group);
 this.authorityService.addAuthority(group, userName);
+ changed = true;
 }
 }
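Review bot: The new `authenticationService` field is declared without a setter — the Java file's 18 insertions in the diffstat are fully accounted for by the visible `+` lines — so if the single line added to keycloak-authentication-context.xml (not legible in this view) wires it as a bean `<property>`, the container has nothing to call. Unless the bean is wired some other way, a `public void setAuthenticationService(final AuthenticationService authenticationService)` setter is needed, injected the same way the sibling `authorityService` field is outside this hunk. The truncated hunk header suggests the class implements InitializingBean, so `afterPropertiesSet` should also reject a missing collaborator at startup, e.g. `if (this.authenticationService == null) { throw new IllegalStateException("authenticationService is required"); }`, rather than surfacing as a NullPointerException inside the retrying transaction at the first login that changes group membership.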
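Review bot: `getCurrentTicket()` is called inside `AuthenticationUtil.runAsSystem`, and if the authentication service resolves the user from the run-as context (as I believe Alfresco's default implementation does), the ticket fetched and invalidated here belongs to the System run-as rather than to the user whose groups just changed — worth confirming against the deployed implementation. Resolving the ticket once before entering the run-as block avoids the question: add `final String ticket = this.authenticationService.getCurrentTicket();` above the `runAsSystem` call and change the inner condition to `if (changed && ticket != null) {`. The debug line also writes the raw ticket value into the log; the ticket is a bearer credential and this file already masks usernames, so log a fixed message instead, `LOGGER.debug("Invalidating Alfresco ticket as group membership changed");`, which also fixes the "Alflresco" typo. Invalidating from inside the `doInTransaction` callback additionally means a retry after rollback runs with the ticket already gone; returning the `changed` flag from the callback and invalidating after it completes would keep the invalidation outside the retry scope. The enclosing method continues outside the hunk.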
@@ -248,6 +261,9 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
 {
 LOGGER.debug("Removing user {} from group {}", maskedUsername, group);
 this.authorityService.removeAuthority(group, userName);
+ changed = true;
 }
+
+ return changed;
 }
 }
\ No newline at end of file